Xi Wang, Zhilei Xu, Xuezheng Liu, Zhenyu Guo, Xiaoge Wang, and Zheng Zhang
Region-based memory management is a popular scheme in systems software for better organization and performance. In the scheme, a developer constructs a hierarchy of regions of different lifetimes and allocates objects in regions. When the developer deletes a region, the runtime will recursively delete all its subregions and simultaneously reclaim objects in the regions. The developer must construct a consistent placement of objects in regions; otherwise, if a region that contains pointers to other regions is not always deleted before pointees, an inconsistency will surface and cause dangling pointers, which may lead to either crashes or leaks.
This paper presents a static analysis tool RegionWiz that can find such lifetime inconsistencies in large C programs using regions. The tool is based on an analysis framework that generalizes the relations and constraints over regions and objects as conditional correlations. This framework allows a succinct formalization of consistency rules for region lifetimes, preserving memory safety and avoiding dangling pointers. RegionWiz uses these consistency rules to implement an efficient static analysis to compute the conditional correlation and reason about region lifetime consistency; the analysis is based on a context-sensitive, field-sensitive pointer analysis with heap cloning.
Experiments with applying RegionWiz to six real-world software packages (including the RC compiler, Apache web server, and Subversion version control system) with two different region-based memory management interfaces show that RegionWiz can reason about region lifetime consistency in large C programs. The experiments also show that RegionWiz can find several previously unknown inconsistency bugs in these packages.
Publisher Programming Language Design and Implementation (PLDI)